堆栈内存溢出
  简体   繁体   English

如何通过HTTP请求获取用户X.509证书-(无SSL)

[英]How do you get a users X.509 certificate over an HTTP request - (without SSL)

 原文  2012-08-24 11:39:31       java/ authentication/ x509

问题描述

We would like to authenticate/authorize users using X.509 certificates and groups within LDAP. 我们想使用LDAP中的X.509证书和组对用户进行身份验证/授权。

With Tomcat 5.5 we were able to do this by getting the X.509 cert over SSL and then switching back to http and continue to use the userPrincipal in the request. 使用Tomcat 5.5,我们可以通过在SSL上获得X.509证书,然后切换回http并继续在请求中使用userPrincipal来做到这一点。 Moving to Tomcat 6 and 7 the userPrincipal is no longer available after switching back to http. 切换回Http之后,移至Tomcat 6和7的userPrincipal不再可用。

In this question Can I use SSL certificate without using a HTTPS connection? 在这个问题中, 我可以不使用HTTPS连接就使用SSL证书吗? It is said that you can request the X.509 cert without SSL. 据说您可以在没有SSL的情况下请求X.509证书。 I'm trying to confirm if it is possible and if anyone has an idea how that could be done. 我正在尝试确认是否有可能,是否有人知道如何做到这一点。

1 个解决方案

解决方案1
 3  2012-08-24 12:41:34

Let's think about this for a second. 让我们考虑一下。

User authentication usually goes like this: 用户身份验证通常是这样的:

  1. Ask the client to prove his identity 要求客户证明自己的身份
  2. Receive proof of the user identity 接收用户身份证明
  3. Pass back a unique random string that the client can use to prove his identity in the future (session token). 传回一个唯一的随机字符串,客户端可以在以后用来证明其身份(会话令牌)。

Going back to unencrypted HTTP after authentication is a bad idea. 身份验证后返回未加密的HTTP是一个坏主意。 Everybody can see the session token on the wire. 每个人都可以在网上看到会话令牌。 They can steal it and use it to pose as the user. 他们可以窃取它并使用它来摆姿势作为用户。 See FBController or search on "session hijack" for an example. 请参阅FBController或在“会话劫持”中搜索示例。

Using an unencrypted session to pass the proof of user identity is an equally bad idea. 使用未加密的会话来传递用户身份证明同样是一个坏主意。 Everybody can replay this and pose as the user. 每个人都可以重播此视频并摆出用户名。 Whether you use an X.509 certificate or a username/password: it is all the same thing. 无论您使用X.509证书还是用户名/密码:都是一样的。

If you really really want, you could implement your own pseudo-HTTPS using Javascript. 如果确实需要,则可以使用Javascript实现自己的伪HTTPS。 Yahoo for example used JavaScript to take a salted SHA1 of the user password before sending it over the wire. 例如,雅虎使用JavaScript在通过网络发送用户密码之前先对其添加盐分的SHA1。 You could use Javascript to sign a nonce using the private key of the X.509, and also send over the public certificate. 您可以使用Javascript通过X.509的私钥对随机数进行签名,也可以通过公共证书进行发送。 Beware that you are still open to session hijacking when using this method, so it is only a false sense of security! 请注意,使用此方法时您仍然可以进行会话劫持,因此这只是一种错误的安全感!

A much much better way is to just use standard HTTPS. 更好的方法是仅使用标准HTTPS。 The full connection is encrypted, which means there are no confidentiality issues with passing the user proof, session hijacking or even viewing the information requested by the user. 完整的连接已加密,这意味着通过用户证明,会话劫持甚至查看用户请求的信息都不会出现机密性问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Spring Boot下运行的REST控制器中获取与HTTPS请求相关的SSL证书(X.509)? - How to get SSL certificate (X.509) relevant to HTTPS request in REST controller running under Spring boot? 如何使用Java中的X.509证书签署HTTP请求? - How do I sign a HTTP request with a X.509 certificate in Java? 证书请求到X.509 - Certificate request to X.509 SSL证书X.509导出 - SSL Certificate X.509 Export 如何在未经用户同意的情况下在ICS上安装(x509 / pk12)证书? - How do you install a (x509 / pk12) certificate on ICS without users consent? 导入 SSL 证书时出错:不是 X.509 证书 - Error Importing SSL certificate : Not an X.509 Certificate 如何在 Java 密钥库中导入现有的 X.509 证书和私钥以在 SSL 中使用? - How to import an existing X.509 certificate and private key in Java keystore to use in SSL? Java httpcleint 使用 X.509 证书发送 SSL 请求 - Java httpcleint send SSL request using X.509 certeficate 如何在Grizzly 2.3中获取X.509客户端证书(使用客户端身份验证时) - How to get X.509 client certificate in Grizzly 2.3 (when using client authentication) 如何从X.509证书生成Java密钥库 - How to generate Java keystore from X.509 Certificate
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM